-rw-r--r-- | accounts/gkleen@sif/ssh-hosts.nix | 4 | ||||
-rw-r--r-- | flake.lock | 42 | ||||
-rw-r--r-- | flake.nix | 7 | ||||
-rw-r--r-- | hosts/surtr/email/ca/.gitignore | 4 | ||||
-rw-r--r-- | hosts/surtr/email/ca/index.txt | 1 | ||||
-rw-r--r-- | hosts/surtr/email/ca/serial | 2 | ||||
-rw-r--r-- | hosts/surtr/matrix/default.nix | 10 | ||||
-rw-r--r-- | overlays/lego.nix | 10 | ||||
-rw-r--r-- | overlays/postfix-mta-sts-resolver.nix | 2 | ||||
-rw-r--r-- | overlays/prometheus-node-exporter.nix | 15 | ||||
-rw-r--r-- | overlays/spm/default.nix | 6 |
11 files changed, 43 insertions, 60 deletions
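--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -378,6 +378,10 @@
 { hostname = "mail-mi01.mathinst.loc";
 proxyJump = "mathw0h";
 };
+"mail-www02" =
+{ hostname = "mail-www02.mathinst.loc";
+proxyJump = "mathw0h";
+};
 "dpl-fai01" =
 { hostname = "dpl-fai01.mathinst.loc";
 user = "root";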
@@ -11,11 +11,11 @@ | |||
11 | "utils": "utils" | 11 | "utils": "utils" |
12 | }, | 12 | }, |
13 | "locked": { | 13 | "locked": { |
14 | "lastModified": 1653594315, | 14 | "lastModified": 1659725433, |
15 | "narHash": "sha256-kJ0ENmnQJ4qL2FeYKZba9kvv1KmIuB3NVpBwMeI7AJQ=", | 15 | "narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=", |
16 | "owner": "serokell", | 16 | "owner": "serokell", |
17 | "repo": "deploy-rs", | 17 | "repo": "deploy-rs", |
18 | "rev": "184349d8149436748986d1bdba087e4149e9c160", | 18 | "rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb", |
19 | "type": "github" | 19 | "type": "github" |
20 | }, | 20 | }, |
21 | "original": { | 21 | "original": { |
@@ -80,11 +80,11 @@ | |||
80 | "utils": "utils_2" | 80 | "utils": "utils_2" |
81 | }, | 81 | }, |
82 | "locked": { | 82 | "locked": { |
83 | "lastModified": 1658924727, | 83 | "lastModified": 1662759269, |
84 | "narHash": "sha256-Fhh9FK9CvuCLxG1WkWJPoendDeXKI4gHYTfezo1n2Zg=", | 84 | "narHash": "sha256-lt8bAfEZudCQb+MxoNKmenhMTXhu3RCCyLYxU9t5FFk=", |
85 | "owner": "nix-community", | 85 | "owner": "nix-community", |
86 | "repo": "home-manager", | 86 | "repo": "home-manager", |
87 | "rev": "0e2f7876d2f2ae98a67d89a8bef8c49332aae5af", | 87 | "rev": "9f7fe353b613d0e45d7a5cdbd1f13c96c15803dd", |
88 | "type": "github" | 88 | "type": "github" |
89 | }, | 89 | }, |
90 | "original": { | 90 | "original": { |
@@ -105,11 +105,11 @@ | |||
105 | ] | 105 | ] |
106 | }, | 106 | }, |
107 | "locked": { | 107 | "locked": { |
108 | "lastModified": 1657089034, | 108 | "lastModified": 1662635943, |
109 | "narHash": "sha256-qSjk1iOi14ijAOP6QuGfE3fvy08aVxsgus+ArwgiyuU=", | 109 | "narHash": "sha256-1OBBlBzZ894or8eHZjyADOMnGH89pPUKYGVVS5rwW/0=", |
110 | "owner": "DavHau", | 110 | "owner": "DavHau", |
111 | "repo": "mach-nix", | 111 | "repo": "mach-nix", |
112 | "rev": "51caf584f26acdfaa51bbf7ee1ffa365aea7bc64", | 112 | "rev": "65266b5cc867fec2cb6a25409dd7cd12251f6107", |
113 | "type": "github" | 113 | "type": "github" |
114 | }, | 114 | }, |
115 | "original": { | 115 | "original": { |
@@ -121,11 +121,11 @@ | |||
121 | }, | 121 | }, |
122 | "nixpkgs": { | 122 | "nixpkgs": { |
123 | "locked": { | 123 | "locked": { |
124 | "lastModified": 1659009481, | 124 | "lastModified": 1663071011, |
125 | "narHash": "sha256-BRM5R7AMKa58NAJnZsmWsVhDxuGllnhTvpVEZ+sP49I=", | 125 | "narHash": "sha256-HjPb5iEwKwyNpnkn4Wo2hptAU5TAmfXd30mxemXPBtg=", |
126 | "owner": "NixOS", | 126 | "owner": "NixOS", |
127 | "repo": "nixpkgs", | 127 | "repo": "nixpkgs", |
128 | "rev": "2d9b7cb5f0a41da95fccc120acf730fd20d8598d", | 128 | "rev": "0caf7675ec9b90ab9ad309d7a993a13798eeaa26", |
129 | "type": "github" | 129 | "type": "github" |
130 | }, | 130 | }, |
131 | "original": { | 131 | "original": { |
@@ -137,11 +137,11 @@ | |||
137 | }, | 137 | }, |
138 | "nixpkgs-22_05": { | 138 | "nixpkgs-22_05": { |
139 | "locked": { | 139 | "locked": { |
140 | "lastModified": 1658634393, | 140 | "lastModified": 1662864125, |
141 | "narHash": "sha256-VW7edeFzA9VU8gZPxPFGpoPsM2AQLYHKhA9H5+OYtno=", | 141 | "narHash": "sha256-AtjyEFK7Zp9+hOOUNO1/YZRADV/wC94R3yeKN8saUK4=", |
142 | "owner": "NixOS", | 142 | "owner": "NixOS", |
143 | "repo": "nixpkgs", | 143 | "repo": "nixpkgs", |
144 | "rev": "2e14bc76ab41c60ba57fd57ff52badaa29d349f5", | 144 | "rev": "e6f053b6079c16e7df97531e3e0524ace1304d4d", |
145 | "type": "github" | 145 | "type": "github" |
146 | }, | 146 | }, |
147 | "original": { | 147 | "original": { |
@@ -179,11 +179,11 @@ | |||
179 | "pypi-deps-db": { | 179 | "pypi-deps-db": { |
180 | "flake": false, | 180 | "flake": false, |
181 | "locked": { | 181 | "locked": { |
182 | "lastModified": 1658996715, | 182 | "lastModified": 1663059297, |
183 | "narHash": "sha256-U5WLiaMoEMvbkGHSHmNVRNzpXPJ0S87ZsB4iwZtp6eI=", | 183 | "narHash": "sha256-JaD4mhUOLJRNaepE50fOUfaSYRNwMhobyj8HGIxosiQ=", |
184 | "owner": "DavHau", | 184 | "owner": "DavHau", |
185 | "repo": "pypi-deps-db", | 185 | "repo": "pypi-deps-db", |
186 | "rev": "3c9aa49a06c1c80791ea412e04fbd9d71e463f9c", | 186 | "rev": "8aa6ec60bf7ed12c1e1705a2f28be63d8eee4386", |
187 | "type": "github" | 187 | "type": "github" |
188 | }, | 188 | }, |
189 | "original": { | 189 | "original": { |
@@ -212,11 +212,11 @@ | |||
212 | "nixpkgs-22_05": "nixpkgs-22_05" | 212 | "nixpkgs-22_05": "nixpkgs-22_05" |
213 | }, | 213 | }, |
214 | "locked": { | 214 | "locked": { |
215 | "lastModified": 1658635258, | 215 | "lastModified": 1662870301, |
216 | "narHash": "sha256-EC8y3Rg+l9IzIUdOaFSA0LMdDipTRoweg1Y2EL8XhMc=", | 216 | "narHash": "sha256-O+ABD+WzEBLVH6FwxKCIpps0hsR6b5dpYe6fB3e3Ju8=", |
217 | "owner": "Mic92", | 217 | "owner": "Mic92", |
218 | "repo": "sops-nix", | 218 | "repo": "sops-nix", |
219 | "rev": "d7f8cf1b77ebe5f287884f17b1ee4cc4f48bad1d", | 219 | "rev": "20929e1c5722a6db2f2dbe4cd36d4af0de0a9df0", |
220 | "type": "github" | 220 | "type": "github" |
221 | }, | 221 | }, |
222 | "original": { | 222 | "original": { |
@@ -14,7 +14,6 @@ | |||
14 | repo = "home-manager"; | 14 | repo = "home-manager"; |
15 | ref = "master"; | 15 | ref = "master"; |
16 | inputs = { | 16 | inputs = { |
17 | flake-compat.follows = "flake-compat"; | ||
18 | nixpkgs.follows = "nixpkgs"; | 17 | nixpkgs.follows = "nixpkgs"; |
19 | }; | 18 | }; |
20 | }; | 19 | }; |
@@ -78,11 +77,11 @@ | |||
78 | inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr; | 77 | inherit (lib) nixosSystem mkIf splitString filterAttrs listToAttrs mapAttrsToList nameValuePair concatMap composeManyExtensions mapAttrs mapAttrs' recursiveUpdate genAttrs unique elem optionalAttrs isDerivation concatLists concatStringsSep fix filter makeOverridable foldr; |
79 | inherit (lib.strings) escapeNixString; | 78 | inherit (lib.strings) escapeNixString; |
80 | 79 | ||
81 | accountUserName = accountName: | 80 | accountUserName = accountName: |
82 | let | 81 | let |
83 | accountName' = splitString "@" accountName; | 82 | accountName' = splitString "@" accountName; |
84 | in elemAt accountName' 0; | 83 | in elemAt accountName' 0; |
85 | accountHostName = accountName: | 84 | accountHostName = accountName: |
86 | let | 85 | let |
87 | accountName' = splitString "@" accountName; | 86 | accountName' = splitString "@" accountName; |
88 | in elemAt accountName' 1; | 87 | in elemAt accountName' 1; |
@@ -132,7 +131,7 @@ | |||
132 | (outputs: { _file = dir + "/${path}"; } | 131 | (outputs: { _file = dir + "/${path}"; } |
133 | // outputs | 132 | // outputs |
134 | // { imports = defaultUserProfiles userName ++ (outputs.imports or []); }); | 133 | // { imports = defaultUserProfiles userName ++ (outputs.imports or []); }); |
135 | 134 | ||
136 | mkUserProfile = userName: dir: path: profileName: | 135 | mkUserProfile = userName: dir: path: profileName: |
137 | let | 136 | let |
138 | profileModule = overrideModule (import (dir + "/${path}")) | 137 | profileModule = overrideModule (import (dir + "/${path}")) |
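--- a/hosts/surtr/email/ca/.gitignore
+++ b/hosts/surtr/email/ca/.gitignore
@@ -3,4 +3,6 @@
 *.old
 *.crt
 *.pkcs12
-certs
\ No newline at end of file
+*.p12
+certs
+index.txt.bak
\ No newline at end of file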
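Review bot: The new patterns `*.p12` and `index.txt.bak` only cover keystore bundles and the OpenSSL backup of the index; whether private-key material in this CA directory (`*.key`, a `private/` subdirectory) is excluded depends on lines 1–2 of the file, which are outside the hunk, so confirm that before more CA state is committed here. `index.txt.attr`, which `openssl ca` also writes next to `index.txt`, matches none of the visible patterns; tracking it is harmless but should be a deliberate choice rather than an accident of the pattern list.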
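--- a/hosts/surtr/email/ca/index.txt
+++ b/hosts/surtr/email/ca/index.txt
@@ -1,2 +1,3 @@
 V 320513204402Z 03 unknown /CN=gkleen
 V 320515063648Z 04 unknown /CN=nmuehlbauer
+V 320910104724Z 05 unknown /CN=mwgnr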
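--- a/hosts/surtr/email/ca/serial
+++ b/hosts/surtr/email/ca/serial
@@ -1 +1 @@
-05
+06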
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index e3a52f9a..46c2f338 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
@@ -111,7 +111,7 @@ with lib; | |||
111 | ProtectClock = true; | 111 | ProtectClock = true; |
112 | ProtectHostname = true; | 112 | ProtectHostname = true; |
113 | 113 | ||
114 | ProtectHome = "tmpfs"; | 114 | ProtectHome = true; |
115 | ProtectKernelLogs = true; | 115 | ProtectKernelLogs = true; |
116 | 116 | ||
117 | ProtectProc = "invisible"; | 117 | ProtectProc = "invisible"; |
@@ -123,7 +123,7 @@ with lib; | |||
123 | 123 | ||
124 | SystemCallArchitectures = "native"; | 124 | SystemCallArchitectures = "native"; |
125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; | 125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; |
126 | 126 | ||
127 | RestrictSUIDSGID = true; | 127 | RestrictSUIDSGID = true; |
128 | RemoveIPC = true; | 128 | RemoveIPC = true; |
129 | NoNewPrivileges = true; | 129 | NoNewPrivileges = true; |
@@ -174,7 +174,7 @@ with lib; | |||
174 | ${corsHeaders} | 174 | ${corsHeaders} |
175 | ''; | 175 | ''; |
176 | return = "200 '${builtins.toJSON { | 176 | return = "200 '${builtins.toJSON { |
177 | "m.server" = "synapse.li:443"; | 177 | "m.server" = "synapse.li:443"; |
178 | }}'"; | 178 | }}'"; |
179 | }; | 179 | }; |
180 | "= /.well-known/matrix/client" = { | 180 | "= /.well-known/matrix/client" = { |
@@ -198,7 +198,7 @@ with lib; | |||
198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; | 198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; |
199 | extraConfig = '' | 199 | extraConfig = '' |
200 | add_header Strict-Transport-Security "max-age=63072000" always; | 200 | add_header Strict-Transport-Security "max-age=63072000" always; |
201 | 201 | ||
202 | add_header X-Frame-Options SAMEORIGIN; | 202 | add_header X-Frame-Options SAMEORIGIN; |
203 | add_header X-Content-Type-Options nosniff; | 203 | add_header X-Content-Type-Options nosniff; |
204 | add_header X-XSS-Protection "1; mode=block"; | 204 | add_header X-XSS-Protection "1; mode=block"; |
@@ -240,7 +240,7 @@ with lib; | |||
240 | "synapse.li".certCfg = { | 240 | "synapse.li".certCfg = { |
241 | postRun = '' | 241 | postRun = '' |
242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service | 242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service |
243 | ''; | 243 | ''; |
244 | }; | 244 | }; |
245 | }; | 245 | }; |
246 | 246 | ||
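Review bot: `ProtectHome = true;` at line 114 makes /home, /root and /run/user inaccessible and empty for the unit, whereas the previous `"tmpfs"` value mounted read-only tmpfs there and still allowed entries under those directories to be exposed through BindPaths=/BindReadOnlyPaths=; if the same serviceConfig relies on any such bind, it will stop working after this change. The serviceConfig starts and ends outside the hunk, so that cannot be checked here. The other four hunks in this section render identically on both sides, which suggests whitespace-only edits the page does not show. A short comment would spare the next reader the same question, e.g. `# true rather than "tmpfs": nothing in this unit needs a path under /home or /root` (adjust if that is not the reason).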
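--- a/overlays/lego.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ prev, ... }: {
-lego = prev.lego.override {
-buildGoModule = args: prev.buildGoModule (args // {
-patches = (args.patches or []) ++ prev.lib.lists.singleton (prev.fetchpatch {
-url = "https://patch-diff.githubusercontent.com/raw/go-acme/lego/pull/1501.patch";
-hash = "sha256-hLuWX607T8tcqljpBzEADViZd2FABkCgjNCLXMyWpuA=";
-});
-});
-};
-}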
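--- a/overlays/postfix-mta-sts-resolver.nix
+++ b/overlays/postfix-mta-sts-resolver.nix
@@ -22,5 +22,7 @@
 });
 })
 ];
+
+_.pyparsing.buildInputs.add = with final.python310Packages; [ flit-core ];
 };
 }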
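Review bot: `_.pyparsing.buildInputs.add = with final.python310Packages; [ flit-core ];` at new line 26 carries no explanation; it reads as a mach-nix `_` override, presumably because the locked pyparsing sdist builds with flit-core and mach-nix does not supply it, but the reason belongs in a comment such as `# pyparsing's sdist uses flit-core as its build backend; mach-nix does not add it by itself` (adjust if that is not the cause). Hard-coding `python310Packages` here while the interpreter for the resolver is presumably selected elsewhere in this file, outside the hunk, means a later interpreter bump would silently mix two package sets; referring to the same python attribute the package is built with would keep them in step. The enclosing attribute set starts outside the hunk.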
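--- a/overlays/prometheus-node-exporter.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ prev, ... }: {
-prometheus-systemd-exporter = prev.prometheus-systemd-exporter.overrideAttrs (oldAttrs: {
-patches = oldAttrs.patches or [] ++ [
-(prev.runCommand "cpu-unified.diff" {
-src = prev.fetchurl {
-url = "https://github.com/pelov/systemd_exporter/commit/2880a8dd1ca4909e51a569093284fad47343016a.diff";
-hash = "sha256-i6sptiCdXmOqK5kfjLbIupctM34RqDahAE/39+35dRI=";
-};
-buildInputs = with prev; [ patchutils ];
-} ''
-filterdiff -x '**/CHANGELOG.md' $src > $out
-'')
-];
-});
-}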
diff --git a/overlays/spm/default.nix b/overlays/spm/default.nix index 5c820d9c..05a8f013 100644 --- a/overlays/spm/default.nix +++ b/overlays/spm/default.nix | |||
@@ -4,9 +4,9 @@ let | |||
4 | # defaultPackages = (import ./stackage.nix {}); | 4 | # defaultPackages = (import ./stackage.nix {}); |
5 | # haskellPackages = defaultPackages // argumentPackages; | 5 | # haskellPackages = defaultPackages // argumentPackages; |
6 | # haskellPackages = argumentPackages; | 6 | # haskellPackages = argumentPackages; |
7 | haskellPackages = final.haskell.packages.ghc923.override { | 7 | haskellPackages = final.haskell.packages.ghc924.override { |
8 | overrides = self: super: { | 8 | overrides = self: super: { |
9 | warp-systemd = final.haskell.lib.doJailbreak (super.warp-systemd.overrideAttrs (oldAttrs: { meta = oldAttrs.meta // { broken = false; }; })); | 9 | warp-systemd = final.haskell.lib.doJailbreak (super.warp-systemd.overrideAttrs (oldAttrs: { meta = oldAttrs.meta // { broken = false; }; })); |
10 | servant-server = super.servant-server.overrideAttrs (oldAttrs: { | 10 | servant-server = super.servant-server.overrideAttrs (oldAttrs: { |
11 | patches = []; | 11 | patches = []; |
12 | }); | 12 | }); |
@@ -34,7 +34,7 @@ let | |||
34 | in path: _type: builtins.match "^frontend(/.*)?$" (relPath path) == null; | 34 | in path: _type: builtins.match "^frontend(/.*)?$" (relPath path) == null; |
35 | src = ./.; | 35 | src = ./.; |
36 | }; | 36 | }; |
37 | 37 | ||
38 | postPatch = '' | 38 | postPatch = '' |
39 | ${oldAttrs.postPatch or ""} | 39 | ${oldAttrs.postPatch or ""} |
40 | 40 | ||